I would test with 'from any' just to see if the problem comes from that, then correct it (readers miss the <lan> declaration).
2012/8/20 lilit-aibolit <[email protected]>
> I have internal ftp-server.
> To give access for it from Internet I use ftp-proxy:
>
> ftpproxy_flags="-R ftp_server -p 21 -b ext_ip"
>
> and rules:
>
> anchor "ftp-proxy/*"
> pass in on $ext_if inet proto tcp from any to (em1) port ftp
> pass out on $int_if inet proto tcp from any to <ftp_server> port ftp user proxy
>
> and this works. But I need to give access to external ftp-servers from my lan.
> I use rules:
>
> match out on $ext_if inet proto tcp from <lan> to any nat-to (em1)
> pass in on $int_if inet proto tcp from <lan> to any port { ftp, >49151 }
> pass out on $ext_if inet proto tcp from (em1) to any port { ftp, >49151 }
>
> and it does not work from lan:
>
> ftp> open ftpserver
> Connected to ftpserver.
> 220 www.ftpserver FTP server ready.
> User (ftpserver:(none)): user
> 331 Password required for user.
> Password:
> 230 User user logged in.
> ftp> dir
> 500 Illegal PORT rejected (address wrong).
> 425 Can't build data connection: Connection refused.
> ftp> dir
> 425 Can't build data connection: Connection refused.
> ftp> quit
> 221 Goodbye.
>
> what is wrong with my config?
> thanks.
>
> --
> () ascii ribbon campaign - against html e-mail
> /\
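For context on the quoted session: in active-mode FTP the client's PORT command carries its own address, and a client on a NATed LAN announces its private address, which the remote server compares against the control connection's source and rejects ("Illegal PORT rejected (address wrong)"). ftp-proxy(8) exists to rewrite that exchange. The fragment below is an added example of a pf.conf that keeps the poster's reverse proxy for the internal server and adds a forward-mode ftp-proxy for outbound LAN clients; it is not the poster's configuration or the reply's suggestion. The interface name em0, the <lan> and <ftp_server> table contents, and running the second ftp-proxy instance from /etc/rc.local are assumptions.

```pf
# /etc/pf.conf fragment (added example, not the thread's own config)
ext_if = "em1"
int_if = "em0"                          # assumed LAN interface name
table <lan> { 192.168.1.0/24 }          # assumed LAN prefix; not shown in the thread
table <ftp_server> { 192.168.1.10 }     # assumed address of the internal FTP server

# Outbound NAT for the LAN, as in the thread.
match out on $ext_if inet proto tcp from <lan> to any nat-to ($ext_if)

# Both ftp-proxy instances insert per-session data-connection rules under this
# anchor, so no static "port >49151" rules are needed on either interface.
anchor "ftp-proxy/*"

# Reverse proxy for the internal server (ftpproxy_flags="-R ftp_server -p 21 -b ext_ip"),
# as in the thread.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ftp
pass out on $int_if inet proto tcp from any to <ftp_server> port ftp user proxy

# Forward proxy for LAN clients: redirect their control connections to a
# second ftp-proxy started with no flags, which listens on 127.0.0.1:8021
# (its default). It rewrites PORT/PASV so the server sees the external address.
pass in quick on $int_if inet proto tcp from <lan> to any port ftp rdr-to 127.0.0.1 port 8021

# The proxy (user "proxy") opens the control connection to the remote server itself.
pass out on $ext_if inet proto tcp from ($ext_if) to any port ftp user proxy
```

The reverse instance keeps its ftpproxy_flags in /etc/rc.conf.local; the forward instance is assumed here to be started as plain `/usr/sbin/ftp-proxy` from /etc/rc.local. The two can coexist because each creates its own sub-anchors under ftp-proxy/*. A quick check after reloading is `pfctl -a "ftp-proxy/*" -sr` during a LAN-originated `dir`: the per-session rules for the data connection should appear there, and the 500/425 pair in the quoted session should be gone.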

